Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tomcat11 for openSUSE:Factory checked in at 2026-07-06 12:33:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tomcat11 (Old) and /work/SRC/openSUSE:Factory/.tomcat11.new.1982 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tomcat11" Mon Jul 6 12:33:40 2026 rev:13 rq:1363909 version:11.0.23 Changes: -------- --- /work/SRC/openSUSE:Factory/tomcat11/tomcat11.changes 2026-06-01 18:04:11.206757365 +0200 +++ /work/SRC/openSUSE:Factory/.tomcat11.new.1982/tomcat11.changes 2026-07-06 12:36:16.435627275 +0200 @@ -1,0 +2,215 @@ +Fri Jul 3 10:17:12 UTC 2026 - Ricardo Mestre <[email protected]> + +- Upgrade libtcnative to v2 (bsc#1232390) + +------------------------------------------------------------------- +Wed Jul 1 12:15:46 UTC 2026 - Ricardo Mestre <[email protected]> + +- Update to Tomcat 11.0.23 + * Fixed CVEs: + + CVE-2026-55956: Security constraints for default servlet ignored method + (bsc#1269907) + + CVE-2026-55955: EncryptInterceptor not protected against replay attacks + (bsc#1269908) + + CVE-2026-55276: Logged effective web.xml is incomplete (bsc#1269909) + + CVE-2026-53434: Invalid CRL configuration doesn't trigger failure for FFM + Connector (bsc#1269824) + + CVE-2026-53404: Bad ornext processing in RewriteValve (bsc#1269910) + + CVE-2026-50229: XSS in number guess example (bsc#1269791) + * Catalina + + Add: Add support for literal '%' characters in access log output. Based on + pull request #1002 by Fabian Hahn. (markt) + + Fix: Lower the log level to debug when OpenSSL initialization fails in + OpenSSLLifecycleListener to avoid stack traces when libssl.so is not + present and to align the behavior of the isAvailable() check with the + AprLifecycleListener and gracefully fail when natives are not present. + (csutherl) + + Fix: 70038: Cookie.clone() should also clone the internal attribute map. + (markt) + + Code: Remove unnecessary code from the SSI processing engine that was + duplicating some of the normalisation checks. (markt) + + Fix: Cleaner handling of invalid SPNEGO tokens. (remm) + + Fix: Avoid some NPEs in the Connector class on an uninitialize protocol. + (remm) + + Fix: Incorrect session average life calculation. (remm) + + Fix: Improve robustness on using Pipeline.setBasic on a running pipeline. + (remm) + + Fix: Avoid any init parameter updates when conflicts are found for + filters, similar to what is done for servlets, as required by the servlet + specification. (remm) + + Fix: Fix container event cleanups in some edge cases. (remm) + + Fix: Check for last-modified header in ExpiresFilter when a servlet uses + addDateHeader to avoid wrongly considering it has been set. (remm) + + Fix: Fix hour unit used by ExpiresFilter. (remm) + + Fix: Remove exception swallowing in DataSourceStore to align it with + FileStore and avoid session loss on errors. (remm) + + Fix: Add support for single-quote escaped literal as well as quoted + literals in DateFormatCache. (schultz) + + Fix: On JAAS logout, clear out role principals on the subject that were + added on commit, as recommended by the JAAS specification. (remm) + + Fix: MemoryRealm should not add a dummy role when none is specified in the + configuration. (remm) + + Fix: DataSourceUserDatabase should return a null principal on a non + existing user. (remm) + + Fix: Fix shared lock expiration in WebDAV. (remm) + + Fix: Inaccurate session exipration statistics when using the persistent + manager. (remm) + + Fix: Skip BOM when serving files with UTF-32 encoding. (remm) + + Fix: Mixup of WrapperListener and WrapperLifecycle elements in + storeconfig. (remm) + + Fix: Incorrect processing of modified users in DataSourceUserDatabase. + (remm) + + Update: Clarify behavior in the UserDatabase for user, role and group + creation that it does not immediately override existing elements. Removal + (or update) needs to be used instead. (remm) + + Fix: 70049: Align the web application class loader with parent class + loaders and swallow any errors caused by invalid paths when looking up + resources and behave as if the resources were not found in that case. + (markt) + + Fix: Improve validation of Range and Content-Range parsers so invalid + ranges trigger a 4xx response rather than a 500 response. Pull request + #1012 provided by Sahana Surendra Bogar. (markt) + + Fix: Fix connection leak in ProxyErrorReportValve. (remm) + + Fix: When using the RewriteValve, %{SSL:HTTPS} now returns on or off + rather than true or false to align with httpd. (markt) + + Fix: Reset the encoding used for query string parameters between requests + in case an application changed the encoding in a previous request. (markt) + + Fix: When encoding URLs with the CsrfPreventionFilter, don't add the nonce + to URLs that are known not to require it. (markt) + + Fix: Fix SSO cookie partitioned configuration. (remm) + + Fix: Fix CombinedRealm isAvailable, it allows authentication if at least + one sub realm is available. (remm) + + Fix: 70048: Correctly handle asynchronous requests in PersistentValve. + (markt) + + Fix: Improve the detection of cross-context dispatches when using a + RequestDispatcher. (markt) + + Fix: Fix various instances of double decoding of URL patterns configured + either programmatically or in web.xml. (remm/markt) + + Fix: Align the rewrite conditions ornext flag processing with mod_rewrite, + which follows a purely sequential evaluation strategy. (remm) + + Fix: Update default web.xml version to match supported Servlet + specification version. (markt) + + Fix: Change the default for the useRedirect attribute of the + ProxyErrorReportValve from true to false. (markt) + + Add: Add support for the showReport attribute in JsonErrorReportValve and + ProxyErrorReportValve. When set to false, detailed error information + (message, description, stack trace) is suppressed from error responses. + (dsoumis) + + Fix: Avoid a NoClassDefFoundError at startup when catalina-tribes.jar is + removed but catalina-ha.jar is present and the Cluster element is enabled + in server.xml. Cluster digester rules are now fully conditional on both + JARs being available. (dsoumis) + + Fix: Fix a potential deadlock when copying resources using WebDAV. (markt) + + Fix: Add jakarta., org.apache.catalina. and org.apache.tomcat.to the list + of reserved prefixes for SSI variables and request attributes. (markt) + + Fix: Missing URL decoding when processing addMapping on a Servlet + registration. (remm) + + Fix: The Timeout WebDAV header allows comma separated values (according to + the examples in the RFC). Use the first acceptable value. (remm) + + Fix: Fix various issues when logging the effective web.xml for a web + application. Empty sections are no longer logged. Special roles and empty + authorisation constraints are included. All session cookie attributes are + included. (markt) + + Fix: Expand the write lock for the save process in the MemoryUserDatabase + to avoid concurrency issues with the file save operations. (markt) + + Fix: Ensure atomic session persistence in FileStore. Based on pull request + #1016 by sahvx655-wq. (markt) + + Fix: Do not ignore methods configured on security constraints that map to + the default servlet. (markt) + * Cluster + + Fix: Expand wording and increase visibility of log message when cloud + membership is configured without a trust store as all certificates will be + trusted in this configuration. (markt) + + Fix: Ensure listeners are correctly added and removed when configuring the + channel coordinator. (markt) + + Fix: Fix some concurrency issues in FragmentationInterceptor. (markt) + + Fix: Fix some concurrency issues in OrderInterceptor. (markt) + + Fix: Fix some concurrency issues in TwoPhaseCommitInterceptor. (markt) + + Fix: Fix concurrency issues generating MD5 digests in the + CloudMembershipProvider implementations. (markt) + + Add: Add replay protection to the EncryptInterceptor. This us a breaking + change for the EncryptInterceptor.(markt) + * Coyote + + Add: Log a suitable warning if an encrypted PEM file is detected using an + insecure form for encryption. (markt) + + Fix: If TLS groups have been configured, use the configured groups rather + than using OpenSSL's default TLS groups when using Tomcat Native with + OpenSSL based connectors. (markt) + + Fix: For HTTP/2, ensure that any in progress request body reads are + cancelled if the container resets the associated stream. This prevents + delays waiting for reads to time out when it is known that no more data + will be received. (markt) + + Fix: Ensure that malformed HTTP/2 messages that should trigger a stream + reset do so, rather than triggered a connection close. (markt) + + Fix: Improve enforcement of header trailer allow list for HTTP/2. (remm) + + Fix: 70050: Avoid NPE when no header frame is processed in HTTP/2, + following refactor clean-up of header buffer. (remm) + + Fix: Properly use pollerThreadPriority for the NIO poller thread. (remm) + + Fix: Fix MessageByte.equals if called on a null MB. (remm) + + Fix: Call the delegate key manager in JSSE to retrieve the server key. + (remm) + + Fix: Avoid overflow scenarios in Asn1Parser. (remm) + + Fix: 70091: Add a new attribute, allowSchemeMismatch to Http2Protocol that + allows the consistency check for the scheme provided by the user agent to + be bypassed. (markt) + + Fix: isTrailerFieldsReady was always returning true. (remm) + + Fix: Align OpenSSL/Panama TLS implementation with other implementations + and throw an exception if there is an error loading the provided CRL(s). + (markt) + + Fix: Parsing of OpenSSL format cipher expressions incorrectly stopped if + @STRENGTH was encountered, ignoring any subsequent expressions. (markt) + + Fix: Handle the case where the HTTP/2 payload length is insufficient for + the mandatory data required by the flags set in the header. (markt) + + Fix: 70102: Correct expected size of ticket keys when calling + setSessionTicketKeys with an FFM connector. (markt) + + Fix: 69988: Fix post handshake authentication for TLS 1.3. It was broken + by a breaking change in OpenSSL between 1.1.1 and 3.0.0. (markt) + + Fix: When processing an OpenSSL cipher specification, fully align the + order of the resulting ciphers with the order produced by OpenSSL. (markt) + + Add: Add support for Brainpool TLS groups. Patch provided by YStankov. + (schultz) + + Update: Update both the minimum and recommended version for Tomcat Native + 2.x to 2.0.15. (markt) + + Update: Update the minimum version for Tomcat Native 1.x to 1.3.8. (markt) + * Jasper + + Fix: Fix possible EL argument mismatch when it was set to null. (remm) + + Fix: Fix thread safety of TagPluginManager. (remm) + + Fix: Correctly use flush on JSP include. (remm) + * Web applications + + Add: Manager: Add checks to ensure that any uploaded files are uploaded to + the expected location. (markt) + + Add: Manager: Add checks to ensure that the requested context path for a + deployed WAR, directory or descriptor file is valid. (markt) + + Add: Documentation: Expand the description of some of the attributes of + the CrawlerSessionManagerValve. (markt) + + Fix: Documentation: Clearer description and correct documented default for + ocspSoftFail. (markt) + + Fix: Fix double escaping in the context names for the JSON mode of the + manager servlet. (remm) + + Fix: Manager: Ensure automatic deployment does not trigger an undeployment + during a Manager triggered web application reload. (markt) + + Fix: Documentation: Provide better documentation for the scheme and secure + attributes of a Connector. (markt) + * Websocket + + Fix: Incorrect Future.isDone() return by AsyncChannelWrapperSecure. (remm) + + Fix: Trigger standard WebSocket error handling if a call to + Endpoint.onOpen() fails for a programmatic endpoint. (markt) + + Fix: 70110: Fix memory leak if a call to Endpoint.onOpen() fails for a + programmatic endpoint. Test case provided by uabdur. (markt) + + Fix: If a client presents invalid parameters when negotiating a WebSocket + extension, decline the negotiation offer that includes the invalid + parameters rather than failing the connection. Pull request #1019 provided + by sahvx655-wq. (markt) + * Other + + Fix: Use per connection authenticator when executing an Ant task. + (remm/markt) + + Update: Update Commons Daemon to 1.6.1. (markt) + + Fix: Prevent duplicate log messages when clustering JARs are not present + on startup. (csutherl) + + Update: Improvements to French translations. (remm) + + Update: Improvements to Japanese translations provided by tak7iji. (markt) + + Update: Update the packaged version of the Tomcat Migration Tool for + Jakarta EE to 1.0.12. (markt) + + Update: Update Tomcat Native to 2.0.15. (markt) + +------------------------------------------------------------------- Old: ---- apache-tomcat-11.0.22-src.tar.gz apache-tomcat-11.0.22-src.tar.gz.asc New: ---- apache-tomcat-11.0.23-src.tar.gz apache-tomcat-11.0.23-src.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tomcat11.spec ++++++ --- /var/tmp/diff_new_pack.sTXubC/_old 2026-07-06 12:36:17.503664322 +0200 +++ /var/tmp/diff_new_pack.sTXubC/_new 2026-07-06 12:36:17.507664460 +0200 @@ -29,7 +29,7 @@ %define elspec %{elspec_major}.%{elspec_minor} %define major_version 11 %define minor_version 0 -%define micro_version 22 +%define micro_version 23 %define java_major 1 %define java_minor 17 %define java_version %{java_major}.%{java_minor} @@ -121,7 +121,7 @@ Requires: apache-commons-logging Requires: apache-commons-pool2 Requires: java >= %{java_version} -Requires: libtcnative-1-0 >= 1.2.38 +Requires: libtcnative-2-0 Requires: logrotate Requires(post): %fillup_prereq Requires(post): libxslt-tools ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.sTXubC/_old 2026-07-06 12:36:17.575666819 +0200 +++ /var/tmp/diff_new_pack.sTXubC/_new 2026-07-06 12:36:17.583667096 +0200 @@ -1,6 +1,6 @@ -mtime: 1779980286 -commit: 9be1b377d039958783ab2f1a7b20bb4154beacc96732c11537e9aec34528f549 +mtime: 1783077737 +commit: bbd15387b04146f3ee0763d72af7fe292e066b50a001b71753373c5da1d55f3e url: https://src.opensuse.org/java-packages/tomcat11 -revision: 9be1b377d039958783ab2f1a7b20bb4154beacc96732c11537e9aec34528f549 +revision: bbd15387b04146f3ee0763d72af7fe292e066b50a001b71753373c5da1d55f3e projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj ++++++ apache-tomcat-11.0.22-src.tar.gz -> apache-tomcat-11.0.23-src.tar.gz ++++++ /work/SRC/openSUSE:Factory/tomcat11/apache-tomcat-11.0.22-src.tar.gz /work/SRC/openSUSE:Factory/.tomcat11.new.1982/apache-tomcat-11.0.23-src.tar.gz differ: char 13, line 1 ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-07-03 13:22:17.000000000 +0200 @@ -0,0 +1 @@ +.osc
